Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Control systems connected to the IIoT can pose another security risk. In their book, Warnings, Finding Cassandras to Stop Catastrophes, authors Richard Clarke and R.P. Eddy discuss the challenges surrounding smart Nest thermostats (Eddy and Clarke 2017). The Nest is essentially a thermostat connected to the Internet. The smart device includes software that learns user behavior and adjusts the temperature in a house (or a facility) independently. It also checks the Internet for the weather in the local zip code. Nest devices can connect to door locks, lights, window shades, and cameras, potentially allowing a significant degree of control over a home or facility. During a presentation at the IIoT World Conference, Lucian Niemeyer, the CEO of the Building Cyber Security Consortium, cited the Department of Defense concern that smart thermostats can be used as listening devices if they are hacked (Niemeyer 2021). Cyber threats to data centers include data compromise, exfiltration, and denial-of-service. Control system cyber threats to data centers have focused on the Internet-connected building control systems. However, there are other control system cyber threats to data centers that have not been addressed and have caused data center damage. Control system network vulnerabilities include the use of standardized communications protocols such as Modbus/TCP, BACnet, and SNMP. These protocols are demonstrably susceptible to cyberattacks and, in the case of Modbus, lack built-in cybersecurity. Hardware liabilities include the Aurora vulnerability (Meserve 2007), UPS systems, and Chinese equipment embedded in U.S. electrical infrastructure that is reportedly vulnerable to attack (Weiss 2021c). MONITORING RAW SENSOR DATA AND CONDITION: A PARADIGM CHANGE Monitoring process sensors in real time would shift control system cybersecurity from a network monitoring issue to an engineering issue. The monitoring of process control and sensor systems requires the ability to monitor higher frequency process sensor noise. However, COTS systems are slow, operating in seconds rather than at the milliseconds or faster frequencies necessary to monitor process control systems, which means that the noise indicative of sensor and process health is filtered with the higher frequency noise removed. Modern machine learning enables pattern detection of raw process sensor signals, which was previously impossible, allowing the physical state of sensors to be monitored and changes noted. This new capability can identify process anomalies, regardless of cause and independent of IP networks and their associated cyber vulnerabilities. It has been used in multiple industries, such as water and wastewater, power, chemicals, mining and building controls, for both predictive maintenance and cybersecurity. The sensor monitoring can be performed off-line, even if the SCADA systems, the OT network, are unavailable. Under this paradigm, IT malware, including ransomware, cannot reach the isolated process sensor monitoring system. The Taum Sauk dam failure in December 2005 illustrates how process sensor monitoring could potentially be used for early diagnosis of potentially catastrophic failures. The Taum Sauk dam is an earthen dam. Level sensors (similar to ones that could be used in facilities) were attached to the earthen sides of the dam. In September 2005 sensor attachments broke and the elevations of at least some of the level sensors changed, triggering erroneous low-level indicators. Because the level measurements were within acceptable range, the SCADA system accepted erroneous level indications as valid sensor inputs and subsequently turned on pumps that overfilled the upper reservoir. Until repairs could be completed, the control system programming was changed such that it would report a lower water level than the sensorsâ readings. Also, Warrick probes were attached to the inner reservoir rim as backup sensors. They should have shut down the pumps if the water reached them. In December 2005, the Warrick sensors failed to report a high water level because they had been placed too high. The dam collapsed this time (Association of State Dam Safety Officials undated). As a result, a billion gallons of water were released. If the electrical characteristics of the sensor signal had been monitored, it would have indicated that something had changed when the sensors pulled away from the wall. This information would ideally Federal Facilities Council Control System Security White Paper 13
